This is the fifth post in a series on Vault. For the previous posts see Getting Started, Secrets Engines, Manage Policies, and Access Secrets.
One of Vault's most powerful features is its ability to generate credentials dynamically: short-lived, per-client credentials that exist only for as long as they are needed, so there is no long-lived shared password to leak. The previous post on Secrets Engines covered the database options Vault provides for dynamic credentials.
This post walks through using Vault to generate dynamic credentials for PostgreSQL, but keep in mind that the same engine supports a long list of databases.
The general workflow is:
- Enable the database secrets engine
- Configure a connection to the database using the database-specific plugin
- Create the necessary roles
- Generate credentials from a role as needed
The workflow begins with enabling the secrets engine and configuring the database-specific plugin. Consult the documentation page for your database for the exact plugin name, the templated connection URL format, and any other plugin settings. The database user Vault connects as must already exist and hold enough privilege to create and drop roles, since that is what Vault does on every request and revocation.
Here is an example for PostgreSQL where a templated connection URL is passed:
The above read-only role will be created in a following step.
Once the connection is configured, Vault recommends rotating the password of the user it connects as. Running the following rotates the password of the vault user specified above so that only Vault knows it. Note that the new password cannot be read back out of Vault, so keep a separate administrative account for the database rather than reusing this one:
Now that Vault can talk to the database, the final configuration step is to create a Vault role for that connection. The role ties together the creation statement, which Vault runs against the database to create a new user and grant its permissions, and the TTLs that bound how long the resulting credentials live. When a user or application requests a credential, Vault runs the statement and returns the freshly created username and password.
Below is an example to give read-only access with some TTLs set:
The creation statement is ordinary SQL, so a role can be scoped to a specific database, schema or table, with read-only or read-write grants as required. A matching revocation statement can be supplied as well when the plugin's default clean-up (revoke the role's grants and drop it) is not what you want.
Finally, to put this to work, users and applications request credentials from the role's creds path; each request produces a unique username and password with its own lease:
Vault revokes credentials automatically when their lease expires or reaches the max TTL, dropping the database user. If a compromise is discovered, revoke the lease immediately (or every lease under the role's prefix) rather than waiting for expiry.
The same workflow applies to the rest of Vault's supported databases.
The next post will look at generating dynamic secrets with a cloud secrets engine in the same way.
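As an added example (not code from the original post, nor from HashiCorp), here is the whole workflow above as one POSIX shell script: enable the engine, configure the connection with a templated URL, rotate the bootstrap password, create a read-only role with creation and revocation statements and TTLs, request credentials, and revoke them. It assumes a Vault server reachable through VAULT_ADDR and VAULT_TOKEN, a PostgreSQL database named appdb on PG_HOST:PG_PORT, and a pre-created database user vault with CREATEROLE privilege whose bootstrap password is passed in PG_VAULT_PASSWORD; the connection name postgres-appdb and the role name readonly are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the original post: the PostgreSQL dynamic-credential
# workflow end to end. Assumed environment: VAULT_ADDR and VAULT_TOKEN point at a
# Vault server; a PostgreSQL instance at PG_HOST:PG_PORT holds a database PG_DB and
# a "vault" user with CREATEROLE privilege whose bootstrap password is
# PG_VAULT_PASSWORD. CONN_NAME and ROLE_NAME are illustrative names.
set -eu

PG_HOST="${PG_HOST:-127.0.0.1}"
PG_PORT="${PG_PORT:-5432}"
PG_DB="${PG_DB:-appdb}"
PG_SSLMODE="${PG_SSLMODE:-require}"     # use verify-full with a CA in production
PG_VAULT_PASSWORD="${PG_VAULT_PASSWORD:-bootstrap-only}"
CONN_NAME="postgres-appdb"              # path under database/config/
ROLE_NAME="readonly"                    # path under database/roles/

# Templated URL: Vault fills in {{username}}/{{password}} itself, so the real
# password is given once in the config write and never appears in the URL.
connection_url() {
  printf 'postgresql://{{username}}:{{password}}@%s:%s/%s?sslmode=%s' \
    "$PG_HOST" "$PG_PORT" "$PG_DB" "$PG_SSLMODE"
}

# SQL Vault runs for each credential request. {{name}}, {{password}} and
# {{expiration}} are substituted per lease; VALID UNTIL makes PostgreSQL reject
# the login after the lease even if Vault's revocation never reaches the database.
creation_statements() {
  cat <<SQL
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';
GRANT CONNECT ON DATABASE "$PG_DB" TO "{{name}}";
GRANT USAGE ON SCHEMA public TO "{{name}}";
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "{{name}}";
SQL
}

# Explicit clean-up at lease expiry or revocation: strip grants first, since
# DROP ROLE fails while the role still holds privileges.
revocation_statements() {
  cat <<SQL
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM "{{name}}";
REVOKE USAGE ON SCHEMA public FROM "{{name}}";
REVOKE CONNECT ON DATABASE "$PG_DB" FROM "{{name}}";
DROP ROLE IF EXISTS "{{name}}";
SQL
}

setup_vault() {
  # Idempotent: enabling an already-enabled mount returns an error we can ignore.
  vault secrets enable -path=database database 2>/dev/null || true

  vault write "database/config/$CONN_NAME" \
    plugin_name=postgresql-database-plugin \
    allowed_roles="$ROLE_NAME" \
    connection_url="$(connection_url)" \
    username=vault \
    password="$PG_VAULT_PASSWORD"

  # Rotate the bootstrap password: afterwards only Vault knows it and it cannot
  # be read back, so keep a separate admin account for the database.
  vault write -force "database/rotate-root/$CONN_NAME"

  vault write "database/roles/$ROLE_NAME" \
    db_name="$CONN_NAME" \
    creation_statements="$(creation_statements)" \
    revocation_statements="$(revocation_statements)" \
    default_ttl=1h \
    max_ttl=24h
}

# Each read mints a fresh role in PostgreSQL and returns it with its lease_id.
request_creds() {
  vault read -format=json "database/creds/$ROLE_NAME"
}

# On compromise: revoke one lease by id, or everything issued under the role.
revoke_lease() {
  vault lease revoke "$1"
}
revoke_all_for_role() {
  vault lease revoke -prefix "database/creds/$ROLE_NAME"
}

# Only talk to a real Vault when one is configured; otherwise the functions
# above can still be sourced and inspected.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  setup_vault
  request_creds
fi
```

Run it once as an operator to configure the engine, then hand applications a token whose policy allows only `read` on `database/creds/readonly`; they never see the vault user's password, and every credential they obtain carries a lease that expires or can be revoked with `revoke_lease` or `revoke_all_for_role`. To build a read-write or per-table role, change the GRANT lines in `creation_statements` and the matching REVOKE lines in `revocation_statements`.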